Vulnerability DatabaseCVE-2023-28158
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-28158
Published:March 29, 2023
Updated:April 14, 2026
Privilege escalation via stored XSS using the file upload service to upload malicious content. The issue can be exploited only by authenticated users which can create directory name to inject some XSS content and gain some privileges such admin user.
Related Resources (8)
https://nvd.nist.gov/vuln/detail/CVE-2023-28158
https://github.com/apache/archiva/commit/ee3ee0a18977b67b6997ea8cd023816201059f96
https://github.com/apache/archiva/releases/tag/archiva-2.2.10
http://www.openwall.com/lists/oss-security/2023/04/18/2
https://lists.apache.org/thread/8pm6d5y9cptznm0bdny3n8voovmm0dtt
https://github.com/apache/archiva/commit/d62e81c7e75f617cf01d2a75952a2c857758f8c4
https://github.com/apache/archiva
https://github.com/apache/archiva/commit/e7f7e70992d361d8b7a3298ddcdf49dda2fdc842
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
LOW
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79
EPSS
Base Score:
0.31